
interface port-channel

interface port-channel <id>

description <LINE>

gigabitethernet <slot/module/port>

ip access-group {in <name>|out <name>|session <name>|vlan <vlanId> {session <name>}}

jumbo

no ...

openflow-disable

shutdown

spanning-tree [bpduguard|cost <value>|point-to-point|port-priority <value>|portfast [trunk]|vlan {range <WORD>|<vlanid>}]

switchport {access vlan <vlan>|mode {access|trunk}|trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>}|native vlan <vlan>}}

trusted {vlan [add|remove] <word>}

xsec {{point-to-point <macaddr> <key> allowed vlan <vlans> [<mtu>]}|vlan <vlan>}

Description

This command configures an Ethernet port channel.

Syntax

Parameter

Description

Range

Default

<id>

ID number for this port channel.

0-7

description <LINE>

A character string describing this port-channel.

up to 60 characters

gigabitethernet <slot/module/port>

Adds the specified GigabitEthernet interface to the port channel.

ip access-group

Applies the specified ACL to the interface. Use the ip access-list command to configure an ACL.

This command requires the PEFNG license.

in <name>

Applies ACL to interface’s inbound traffic.

out <name>

Applies ACL to interface’s outbound traffic.

session <name>

Applies session ACL to interface and optionally to a selected VLAN associated with this port.

vlan <vlanId> {session <name>}

Applies session ACL to VLAN.

1-4094

jumbo

Enables or disables jumbo frame MTU configured via firewall on a port channel.

 

Disabled

no

Negates any configured parameter.

openflow-disable

Enables or disables OpenFlow on the port channel.

disabled

shutdown

Causes a hard shutdown of the interface.

spanning-tree

Enables spanning tree.

bpduguard

Enables BPDU guard on the port channel.

Disabled

cost <value>

Specify the cost value of the spanning tree path for an interface.

1 - 65535

point-to-point

Configures the interface as a point-to-point link.

port-priority <value>

Specify the spanning tree priority for the interface.

0 - 255

portfast [trunk]

Enables forwarding of traffic from the interface. Optionally you can choose a trunk port for forwarding the traffic.

vlan {range <WORD>|<vlanid>}

Configure a VLAN instance or a range of VLAN IDs for the

switchport

Sets switching mode parameters for the interface.

access vlan <vlanId>

Sets the interface as an access port for the specified VLAN. The interface carries traffic only for the specified VLAN.

mode {access | trunk}

Sets the mode of the interface to access or trunk mode only.

port-security maximum <num>

Sets the maximum number of MAC addresses that can be configured on the port channel.

16-32768

trunk {allowed vlan {<vlans>|add <vlans>|all|except <vlans>|remove <vlans>}|native vlan <vlan>}

Sets the interface as a trunk port for the specified VLANs. A trunk port carries traffic for multiple VLANs using 802.1q tagging to mark frames for specific VLANs. You can include all VLANs configured on the managed device, or add or remove specified VLANs. Optionally you can specify the native VLAN for the trunk mode interface. Frames on the native VLAN are not 802.1q tagged.

trusted

Set this interface and range of VLANs to be trusted. VLANs not included in the trusted range of VLANs will be, by default, untrusted.

Trusted ports and VLANs are typically connected to internal controlled networks, while untrusted ports connect to third-party APs, public areas, or other networks to which access controls should be applied. When Aruba APs are attached directly to a managed device, set the port to be trusted.

disabled

vlan [add|remove] <word>

Sets the specified range of VLANs as trusted. All remaining become untrusted automatically.

For example, if you set a VLAN range as:
vlan 1-10, 100-300, 301, 305-400, 501-4094

Then all VLANs in this range are trusted and all others become untrusted by default. You can also use the no trusted vlan command to explicitly make an individual VLAN untrusted. The no trusted vlan command is additive and adds the given VLANs to the existing untrusted VLAN set.

However, if you execute the trusted vlan <word> command, it overrides any earlier untrusted VLANs or a range of untrusted VLANs and creates a new set of trusted VLANs.

A port supports a user VLAN range from 1-4094. If you want to set all VLANs (1-4094) on a port as untrusted then mark the port itself as untrusted. By default the port and all its associated VLANs are trusted.

1-4094

xsec

Enables and configures the Extreme Security (xSec) protocol.

You must purchase and install the xSec software module license in the managed device.

point-to-point

MAC address of the device that is the xSec tunnel termination point, and the 16-byte shared key used to authenticate the devices to each other. The key must be the same on both devices.

allowed vlan

VLANs that are allowed on the xSec tunnel.

mtu

(Optional) MTU size for the xSec tunnel.

vlan

xSec VLAN ID. For managed device-to-managed device communications, both managed devices must belong to the same VLAN.

1-4094

Usage Guidelines

A port channel allows you to aggregate ports on a managed device. You can configure a maximum of 8 port channels per supported managed device with a maximum of 8 interfaces per port channel.

Note the following when setting up a port channel between a managed device and a Cisco switch (such as a Catalyst 6500 Series Switch):

There must be no negotiation of the link parameters.

The port-channel mode on the Cisco switch must be “on”.

Example

The following command configures a port channel:

(host) (config) #interface port-channel 7

(host) [mynode] (config-submode)#gigabitethernet 0/0/1

(host) [mynode] (config-submode)#gigabitethernet 0/0/2
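
The ordering rules for trusted vlan and no trusted vlan described in the Syntax section can be replayed to check which trunk VLANs end up trusted. The Python below is an added example, not ArubaOS or Aruba code; the function names, the sample stanza, and the default of all VLANs being allowed on a trunk are assumptions.

```python
# Added example: a model of the trusted-VLAN rules as this page describes them.
# Not ArubaOS code; all function names and the sample stanza are constructed.
ALL_VLANS = frozenset(range(1, 4095))  # user VLAN range 1-4094, per the page


def parse_vlans(word):
    """Expand a VLAN list such as '1-10, 100-300, 301' into a set of IDs."""
    vlans = set()
    for part in word.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)   # ValueError on non-numeric input
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def effective_trusted(lines):
    """Replay trusted-related commands in order; return the trusted VLAN set."""
    port_trusted = True        # page: port and its VLANs are trusted by default
    trusted = set(ALL_VLANS)
    for cmd in (raw.strip() for raw in lines):
        if cmd == "trusted":
            port_trusted = True
        elif cmd == "no trusted":
            port_trusted = False
        elif cmd.startswith("no trusted vlan "):
            # Additive: each call grows the untrusted set.
            trusted -= parse_vlans(cmd[len("no trusted vlan "):])
        elif cmd.startswith("trusted vlan "):
            # Override: replaces the whole trusted set, undoing earlier removals.
            # add/remove forms are not described on the page, so not modelled.
            trusted = parse_vlans(cmd[len("trusted vlan "):])
    return trusted if port_trusted else set()


def trusted_on_trunk(lines):
    """VLANs both allowed on the trunk (plain list or 'all' form) and trusted."""
    prefix = "switchport trunk allowed vlan "
    allowed = set(ALL_VLANS)   # assumption: no allowed-vlan line means all VLANs
    for cmd in (raw.strip() for raw in lines):
        if cmd.startswith(prefix):
            word = cmd[len(prefix):]
            allowed = set(ALL_VLANS) if word == "all" else parse_vlans(word)
    return sorted(allowed & effective_trusted(lines))


# Constructed stanza: VLAN 10 is untrusted first, then re-trusted by the override.
SAMPLE = """\
interface port-channel 7
 switchport mode trunk
 switchport trunk allowed vlan 10,20,300-302
 no trusted vlan 10
 trusted vlan 1-10,100-300
 no trusted vlan 300
""".splitlines()

if __name__ == "__main__":
    print(trusted_on_trunk(SAMPLE))
```

In the sample, VLAN 10 is reported as trusted even though an earlier line made it untrusted, because the later trusted vlan line replaced the whole set; swapping the order of those two lines leaves it untrusted.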

Command History

Release

Modification

ArubaOS 8.2.0.0

Updated the syntax to ip access-group {in <name>|out <name>|session <name>|vlan <vlanId> {session <name>}}.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

This command is available in the base operating system. The ip access-group parameter requires the PEFNG license. The xsec parameter requires the xSec license.

Config mode on Mobility Master.
